AN OVERVIEW OF THE STATE OF THE ART FOR
PRACTICAL QUANTUM KEY DISTRIBUTION 

DANIEL D. MOSKOVICH 


Abstract. This is an overview of the state of the art for quantum key 
distribution (QKD) as of March 2015. It is written by a non-expert for 
non-experts. Additions and corrections are welcome. 


1. Introduction 

The goal of this overview is to concisely summarize, in a way that is
accessible to a non-expert, where practical Quantum Key Distribution (QKD)
stands now in early 2015 and what seem to be promising directions for the
near future, to the best of the author’s knowledge and understanding.

We begin with a general overview of what QKD is, followed by a discussion
of the major practical QKD players at the moment, a discussion of
protocols, and a discussion of photon sources, transmission, and detection. 
We conclude with a section on attacks against QKD. 

2. What is quantum key distribution? 

Quantum key distribution (QKD) uses principles of quantum information
theory to ensure secure communication (Wiesner, 1983; Bennett & Brassard,
1984; Ekert, 1991). Its goal is for two parties called (A)lice and (B)ob
to share a secret key made up of 0s and 1s which they will later use to
encrypt and decrypt communications between them. The information used
to compose the key is carried between Alice and Bob on qubits (two-state
quantum systems).

The SECOQC White Paper convincingly argued that QKD is a form of
trusted courier (Alice hands a message to somebody she trusts, who carries
that to Bob), so that it is useful in contexts in which a trusted courier
would be useful (SECOQC, 2007). With idealized hardware and with perfect
accuracy, the advantages of QKD over classical trusted courier methods
would be:

• Mathematically-proven security against all classical and quantum 
attacks. 

• Alice and Bob can detect any active attempt by an eavesdropper
(E)ve to eavesdrop on the key distribution process.

The Black Paper of Quantum Cryptography convincingly argued that real-life
QKD security is less than perfect, so that each different QKD setup
should be carefully and individually studied to assure its security (Scarani
& Kurtsiefer, 2014). All security threats discovered so far have been
redeemable, and we have no reason to believe that any given QKD setup
cannot be made perfectly secure against all known attacks in principle.

Real world QKD has become a focus of interest for industrial players, for 
governments, and for security agencies. 


3. Fundamental challenges 

A number of fundamental challenges to the widescale use of QKD have 
been identified (Pritchard & Till, 2010). 

(1) Limited transmission rate and range. Both the range and the maximal
bit-rate of QKD are low compared to classical communications.
It is considered technologically impossible, for instance, to transmit
a polarized photon reliably over more than 400km of fiber, although
quantum repeaters will allow for longer range QKD.

(2) QKD protocols are fundamentally point-to-point, and do not integrate
with packet-based protocols such as those used on the internet.

(3) QKD requires expensive special-purpose hardware such as single-photon
sources and detectors. Such hardware is difficult to upgrade
and to maintain.

(4) QKD addresses only one aspect of the security problem. For example
authentication and integrity are not covered and must be handled
classically.

(5) There is nothing fundamentally wrong with existing classical
cryptographic techniques. Even if some classical ciphers (e.g. RSA) may
be cracked using quantum algorithms at some unspecified point in
the future, other classical ciphers are being developed that would be
immune to quantum attacks.

(6) Because it is a new technology, there are potential discovered and
undiscovered vulnerabilities in practical QKD systems. Indeed, several
proposed conditions for unconditional security of practical
implementations were found wanting and had to be revised, e.g. because
key-length is finite while many security proofs assume infinite-length
keys (Inamori, Lütkenhaus & Mayers, 2007; Tomamichel et al.,
2012), or because the quantum effect of locking might allow
unexpectedly large information leak during the error-correction and
privacy amplification steps (Konig et al., 2007; Iwakoshi & Hirota,
2014; Yuen, 2013; Portmann & Renner, 2014). Commercial QKD
systems have been successfully hacked (Section 12.4). Because QKD
is unconditionally secure while the security of any quantum protocol
implementation is a probabilistic quantitative matter, these
vulnerabilities will in principle never be fatal flaws. But each new
vulnerability might require re-tuning of parameters and modifications to
technological implementation.

[Figure: Microwave apparatus used in quantum experiments. Retrieved
from http://www.foxnews.com/tech/2013/05/08/quantum-network-secretly-running-for-2-years/]

4. Advantages of QKD 

(1) QKD provides the possibility to establish a secret key in a way that
is provably secure against eavesdropping. Moreover, QKD can be
composed with other encryptions, so as to provide an additional layer 
of security for an already secure message. For example a message 
encrypted using an RSA public key may be once again encrypted 
using a quantum key. To intercept the message, an attacker would 
have to break both the quantum key and the classical key. 

(2) Eavesdropping can be detected, following which countermeasures
may be adopted. This capability distinguishes QKD among
all encryption methods.

(3) Expertise and knowledge gained in QKD research will, in large part, 
be useful for developing future technologies in future manifestations 
of the coming quantum revolution predicted by Michael Berry when 
he said, “It is easy to predict that in the twenty-first century, it will 
be quantum mechanics that influences all our lives.” Berry (1998). 

5. World QKD projects 

5.1. Large scale networks. In the last 10 years, a number of multi-user
QKD networks have been constructed. All use relay between trusted nodes
and optical switching. The first of these was the 10-node DARPA Quantum
Network which has been operating since 2004 (Elliot et al., 2005). It uses
active optical switching (i.e. an electrically powered switching device
similar to a router) to distribute the key between pairs of nodes. It is
being developed by BBN Technologies, Harvard University, Boston University
and QinetiQ, with the support of the US Defense Advanced Research Projects
Agency (DARPA). The SECOQC (Secure Communication Based on Quantum
Cryptography) Quantum Network is an EU project which integrated several
different QKD systems into one quantum backbone (QBB) network, developing
a cross-platform interface (http://www.secoqc.net/). This provided
impetus for the European Telecommunications Standards Institute (ETSI) to
launch an industry specification group for QKD (ISG-QKD) in order to
create universally accepted QKD standards (ETSI, 2015). The Swiss Quantum
Network and the Durban Network are testing long-term QKD operation in
field environments (http://swissquantum.idquantique.com and (Mirza
& Petruccione, 2010)). Transparent network implementations of QKD using
only beam splitters, which facilitate secure communication without
requiring clients to be reconfigured, have been demonstrated by several
groups (Telecordia Technologies, Universidad Politecnica de Madrid and
Telefonica Investigacion y Desarrollo, and two teams from the University of
Science and Technology of China). The Tokyo QKD network used a central Key
Management Service (KMS) and newer technologies to increase its speed to
the point of transmitting a QKD-secured live teleconference between two
nodes (Sasaki et al., 2011). This is suitable for government or municipal
settings in which one central body controls the flow of information.
Mitsubishi combined this system with an application for secure telephony to
demonstrate QKD-secured mobile telephony (Mitsubishi, 2015). Finally,
Los Alamos National Laboratory (LANL) runs a hub-and-spokes one-to-many
quantum network (Hughes et al., 2013). The LANL photon generator
has been miniaturized to around the size of a house key.

China is currently constructing a 1200-mile line between Beijing and
Shanghai as part of a proposed 20-node QKD network which it aims to
complete in 2016. Its current network, the Hefei-Chaohu-Wuhu wide area
QKD network, is the largest in the world (Wang et al., 2014). To overcome
the need to use trusted nodes, where one compromised node could impact
the security of the entire network, there has been work aimed at using
techniques of classical multiple access optical communication in the
quantum context (Sarwar Pasha & Bala Ram, 2014). Such technologies have been
applied for one part of the DARPA network, and also for an experimental
three-node network at NIST (see
http://www.nist.gov/itl/quantum/threeusernetwork.cfm).

Taking the above technologies into account, the Engineering Science and 
Research Council (EPSRC) estimated in their 2014 report that hand-held 
QKD systems should be commercially available “with sufficient investment 
and encouragement” within 4-7 years, and that long-range highly-connected 
quantum networks should become available within 10-25 years (EPSRC, 
2014). 

5.2. University Centres. There are a growing number of university
centers in the world which specialize in quantum communication. We list a few
of the most active.

[Figure: Artist’s conception of quantum key distribution over free space
ground to satellite quantum information links. Retrieved from
http://www.esa.int/ESA]

The world’s foremost dedicated quantum communications center is the
Group of Applied Physics (GAP) at Geneva University
(http://www.unige.ch/gap/quantum/) and their commercial spinoff company
Id Quantique (http://www.idquantique.com/). They have developed what is
today the world’s best single photon detector (Korzh et al., 2014) with which
they have achieved the current world record distance for QKD through fiber
(Korzh et al., 2015). They also produce and sell photon detectors and
random number generators using patented technologies.

The Centre for Quantum Technologies (CQT) in Singapore, directed by
Ekert who developed the E91 protocol, specializes in quantum hacking
(http://www.quantumlah.org/). They have developed several successful attacks,
which have taken advantage both of side-channels (e.g. (Lamas-Linares
& Kurtsiefer, 2007)) and of erroneous parameters in security proofs (e.g.
(Gerhardt et al., 2011)).

The Institute of Quantum Computing (IQC) in Waterloo also has a
research group working on QKD. It is directed by Norbert Lütkenhaus, who
previously worked at MagiQ to develop practical QKD. Vadim Makarov of
that group discovered some successful side-channel attacks against QKD
(e.g. (Makarov et al., 2006; Makarov, 2009)).

The Key Laboratory of Quantum Information is China’s leading
quantum information center, which is creating the world’s longest and most
sophisticated QKD networks
(http://en.physics.ustc.edu.cn/research_9/Quantum/201107/t20110728_116550.html).

5.3. Commercial companies. A number of commercial companies sell
QKD systems and related devices. MagiQ Technologies in the US sells
the QPN-8505, a QKD system which combines BB84 QKD with classical
3DES and AES encryption (http://www.magiqtech.com/). It works
using decoy-state optimized BB84, with a secure key rate of 256Hz over
100km, or 140km with decoy states. In Europe the leading QKD company
is Id Quantique, whose flagship product is the Clavis2, a pure QKD
system (http://www.idquantique.com/). Clavis2 implements both BB84
and SARG04, with secure key-rates of around 1KHz on a 25km fiber.
SeQureNet is a Paris-based company that produces QKD parts and that
specializes in continuous variable (CV) QKD (http://sequrenet.com).
Quintessence Labs in Australia provides true random number generators
(http://www.quintessencelabs.com/).

6. Protocols 

6.1. BB84. The most widely used QKD protocol, which was also the world’s
first QKD protocol, was developed by Bennett and Brassard in 1984, and
is called BB84. It is typically divided into three layers: the physical layer
in which the quantum communication is carried out, the key-extraction layer
in which the actual key is extracted from the qubits that Alice sent to Bob,
and the key-application layer where the secret key is used to encode a
communication such as a telephone or a video conversation (Bennett et al.,
1992; Gisin et al., 2002).

In the physical layer, Alice sends random photons, 1 with 50% probability 
and 0 with 50% probability, either in the so-called X basis or in the so-called 
Z basis, each with 50% probability. Bob measures each bit he receives in 
a random basis, either in the X basis with 50% probability, or in the Y 
basis with 50% probability. This is the hardware-intensive portion of the 
protocol, for which good random-number generators, single-photon sources, 
and single-photon detectors are required. 

[Figure: The BB84 protocol. Figure retrieved from
http://swissquantum.idquantique.com/?Key-Sifting.]

In the key-extraction layer, BB84 becomes classical. The first classical
sublevel is called sifting. Alice and Bob both reveal which bases they used
over a public channel. They then discard the bits which they measured in
different bases. The second sublevel is called authentication. In it, Alice and
Bob compare some of their sifted bits over the public channel to determine
whether eavesdropping has occurred. If the bits they compare are more
different than can be accounted for by random noise, then they can guess
that Eve has eavesdropped, and adopt countermeasures. The reason that
they can make this deduction is that Eve’s direct attack, intercept-resend,
would involve measuring some of the bits sent by Alice, and sending
them on to Bob. But since Eve does not know which basis was originally
used by Alice, she will choose the wrong basis with 50% probability, and if
she chooses the wrong basis then she will send the wrong qubit to Bob, and
that incorrect qubit will survive into the sifted key with 50% probability.
The third sublevel is called error correction. In it, Alice and Bob apply
classical error-correcting algorithms to remedy the effect of random errors
caused by channel noise and by the fact that equipment is non-ideal. The
fourth and final sublevel is called privacy amplification, in which Alice and
Bob apply classical cryptography algorithms to minimize the effect on the
final key of any under-the-radar eavesdropping by Eve. In other words,
security of a QKD key is always a quantitative affair because of non-ideal
equipment and channel noise, so some non-trivial information might have
been picked up by Eve without being detected in the authentication phase.
But the amount of leaked information is guaranteed to be below a certain
threshold, and privacy amplification can negate the knowledge about the
final key which that partial information imparts.
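
The sifting and eavesdropping-check steps described above can be simulated classically. The following is an added example, not code from the overview or from any QKD product; it models the two bases as the labels X and Z, a mismatched-basis measurement as a coin flip, and uses a hypothetical 10% acceptance threshold (max_error_rate) that is an assumption of this sketch.

```python
import random

BASES = "XZ"  # labels for the two bases; an assumption of this sketch


def measure(bit, prepared_basis, measured_basis, rng):
    """Same basis: the prepared bit is read back. Different basis: a coin flip."""
    return bit if prepared_basis == measured_basis else rng.randrange(2)


def run_bb84(n_photons, eve=False, channel_error=0.0, seed=1):
    """Simulate the physical layer plus sifting; return (alice_sifted, bob_sifted)."""
    rng = random.Random(seed)
    alice_sifted, bob_sifted = [], []
    for _ in range(n_photons):
        bit, alice_basis = rng.randrange(2), rng.choice(BASES)
        in_flight_bit, in_flight_basis = bit, alice_basis
        if eve:
            # Intercept-resend: Eve measures in a guessed basis and forwards
            # what she observed, prepared in her own basis.
            eve_basis = rng.choice(BASES)
            in_flight_bit = measure(in_flight_bit, in_flight_basis, eve_basis, rng)
            in_flight_basis = eve_basis
        bob_basis = rng.choice(BASES)
        result = measure(in_flight_bit, in_flight_basis, bob_basis, rng)
        if rng.random() < channel_error:  # random noise from non-ideal equipment
            result ^= 1
        if alice_basis == bob_basis:  # sifting: keep matching-basis rounds only
            alice_sifted.append(bit)
            bob_sifted.append(result)
    return alice_sifted, bob_sifted


def check_for_eavesdropping(alice_sifted, bob_sifted, sample_fraction=0.25,
                            max_error_rate=0.10, seed=2):
    """Publicly compare a random sample of sifted bits.

    Returns (error_rate, accepted, alice_rest, bob_rest). Disclosed bits are
    removed from the key because the public channel is readable by Eve.
    """
    rng = random.Random(seed)
    n = len(alice_sifted)
    sample_size = max(1, int(n * sample_fraction))
    disclosed = set(rng.sample(range(n), sample_size))
    errors = sum(alice_sifted[i] != bob_sifted[i] for i in disclosed)
    error_rate = errors / sample_size
    alice_rest = [b for i, b in enumerate(alice_sifted) if i not in disclosed]
    bob_rest = [b for i, b in enumerate(bob_sifted) if i not in disclosed]
    return error_rate, error_rate <= max_error_rate, alice_rest, bob_rest


def scenario(eve, channel_error, n_photons=20000):
    """Run one constructed scenario; return (sifted_length, error_rate, accepted)."""
    alice, bob = run_bb84(n_photons, eve=eve, channel_error=channel_error)
    rate, accepted, _, _ = check_for_eavesdropping(alice, bob)
    return len(alice), rate, accepted


if __name__ == "__main__":
    cases = [("noise only (2%)", False, 0.02), ("intercept-resend + 2% noise", True, 0.02)]
    for label, eve, noise in cases:
        kept, rate, accepted = scenario(eve, noise)
        print(f"{label}: sifted={kept} sampled error rate={rate:.3f} accepted={accepted}")
```

About half of the photons survive sifting, and a full intercept-resend attack pushes the sampled error rate to roughly 25% (50% wrong basis times 50% wrong result), which is what separates it from a few percent of channel noise.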

6.2. Modified BB84 protocols. The best known modification of BB84
is SARG04, which adapts it for use with attenuated laser pulses (Scarani
et al., 2004). SARG04 is more robust than BB84 against so-called ‘coherent
attacks’, but unfortunately it performs worse against certain ‘incoherent
attacks’ (Branciard et al., 2005).

Lo, Chau, and Ardehali present a modification of BB84 which essentially
doubles its efficiency (Lo et al., 2005b). The key differences are that
significantly different probabilities are assigned to the two bases so that
few bits are discarded, and that key extraction is performed separately for
data in each of the bases. The Cambridge-Toshiba team further improved
efficiency and included decoy states, developing a new protocol called T12
(Lucamarini et al., 2013). The authors prove it to be unconditionally secure.
As of February 2015, this is the protocol with which the highest ranges and
secure key rates have been obtained (Korzh et al., 2015).

Decoy state QKD addresses the problem that the secure key rate of
a quantum key from a coherent source scales like the square of the
transmittance (the proportion of photons that make it through from Alice to
Bob) of the medium, and thus a secure key becomes too long to be practical
when it must be transmitted for long distances. For decoy-state QKD, the
key length scales like the transmittance. Three-source decoy-state QKD was
what was used in (Lucamarini et al., 2013). Decoy state QKD works also
with non-coherent sources such as PDC sources (Ma & Lo, 2008).

Additionally, there has been work on measuring-device independent (MDI)
QKD, in which Alice and Bob independently prepare phase randomized
coherent pulses in one of the four BB84 states (with decoy states) and send
these to an untrusted third party, Charlie. Charlie then performs Bell state
measurements (BSM), and announces to Alice and Bob over a public channel
the successful BSM events. Alice and Bob can get a sifted key by dropping
events where they sent pulses in different bases (Wang, 2013). This has been
implemented and gives good key rates in the laboratory (Tang et al., 2014).
A further improvement has been examined, using four-source decoy states
(Jiang et al., 2015).

There has been recent work to modify the BB84 protocol to deal with 
higher bit error rates on the sifted key, in order to distribute quantum keys 
for longer distances without using repeaters in a way that is compatible with 
optical amplification (Hughes & Norholdt, 2014). 

6.3. Continuous Variable (CV) QKD. Continuous-variable (CV) QKD
protocols employ continuous or discrete modulations of the quadratures of an
electromagnetic field. CV-QKD setups rely on a coherent detection between
the quantum signal and a classical reference signal, and their
implementation requires only standard telecom components. They are
compatible with wavelength division multiplexing, which greatly eases their
deployment into telecommunication networks. They should be easier to
integrate on silicon photonics chips (Jouguet et al., 2013; Kumar, Qin,
& Alleaume, 2014).

The bottleneck for CV-QKD is a classical cryptography problem, that
of error-correction. For a long time, the range of CV-QKD was limited to
25-30km. New error-correcting codes have improved this range to 80km
(Jouguet et al., 2012). SeQureNet’s Cygnus module for CV-QKD features
this range (http://sequrenet.com/products.html). Currently, CV-QKD
keyrates are competitive with DV-QKD keyrates up to about 30km. But it
may be more difficult to increase ranges for CV-QKD than for DV-QKD
because security proofs for CV-QKD are penalized heavily for finite size
effects. An additional concern is that CV-QKD is a newer technology, and
therefore has different vulnerabilities, some of which may be unmapped.
Several potential vulnerabilities have been identified and addressed in
(Jouguet, Kunz-Jacques, & Diamanti, 2013; Huang et al., 2014; Kunz-Jacques
& Jouguet, 2015).

Considering the above, CV-QKD should be considered a promising future 
technology for medium-range QKD. The state of the art for CV-QKD is 
surveyed in (Jouguet et al., 2014). 

6.4. Entanglement-based protocols. There are a number of protocols
involving entangled pairs of photons, chief among these being E91 (Ekert,
1991). In E91, Alice and Bob each have half of an entangled state (EPR pair,
or singlet). The working concept of this scheme is that there is nothing for
Eve to intercept, as the qubit state manifests only after a measurement has
been made. If Eve attempts an intercept-resend attack, her measurement
will break the entanglement between the photons.

The protocol proceeds as follows. Alice and Bob each choose one of two
different bases to measure, with 50% probability of choosing one basis and
50% probability of choosing the other. After having performed their
measurements, they disclose which bases they used over a public channel. If
the results of measurements which were made in different bases violate
Bell inequalities, then the state is still entangled and there has been no
eavesdropping.

Despite being theoretically more secure than BB84 and its variants (fewer
side-channels and thus fewer bits required for a secure key),
entanglement-based protocols are not currently considered to be practical
for long-range large-scale systems because of the difficulty of controlling
entangled pairs caused by decoherence (Scarani & Kurtsiefer, 2014).

6.5. Counterfactual QKD. Tae-Gon Noh has demonstrated that QKD
can be achieved ostensibly without sending the key through the quantum
channel (Noh, 2009). The quantum principle in play is that the possibility
of sending a photon can be detected even if the photon is seemingly not
actually sent. Counterfactual QKD has been demonstrated experimentally
in the laboratory (Liu et al., 2011).

7. Real-time key extraction 

Key generation bandwidth in a pure CPU-based implementation has been
shown to saturate at rates of around 1MHz (Restelli et al., 2009). High
speed QKD networks routinely exceed this data rate; for example, the
NIST system generates sifted keys at around 2MHz and has a maximal
capacity above 30MHz. For secure real-time practical applications, GHz
data rates are anticipated. In order to shift the bottleneck from the classical
computation layer back to the physical layer where it should be,
hardware-based implementations have become necessary.

Sifting is computationally straightforward, and is relatively easy to
perform at high speed. There is good privacy-amplification software which can
work directly on a CPU-based system (Zhang et al., 2014), and the
Wegman-Carter strongly universal hashing method, as used by e.g. Id
Quantique, is also good. It is the error correction step which is complicated
and which sets a hard upper limit on the secure key rate.

The Cascade error-correction algorithm, developed for QKD in (Brassard
& Salvail, 1994), is the fastest at current data rates, and is best implemented
in a Field Programmable Gate Array (FPGA) because it requires many
simple but different logical bit-level operations. When the NIST QKD network
began to exceed data rates of 1MHz, implementation of the Cascade
algorithm was moved to hardware (Mink et al., 2006). The maximal throughput
they were able to achieve was 12MHz in theory, but they were not able to
approach that limit in a practical system due to timing jitter in their
photon detectors (Mink & Bienfang, 2013). The Wuhu metropolitan area QKD
network uses a similar FPGA-based system (Zhang et al., 2012).
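
The bit-level operations in question are block parities and a bisection search. The following is an added example, not code from the overview or from any of the cited implementations; it is a simplified sketch of Cascade-style reconciliation that keeps the parity bisection and the shuffled passes with doubling block size but omits Cascade's back-tracking into earlier passes, and the block size, pass count and test keys are constructed assumptions.

```python
import random


def parity(bits, positions):
    """Parity of the key bits at the given positions."""
    return sum(bits[i] for i in positions) % 2


def hamming(a, b):
    """Number of positions where two keys differ."""
    return sum(x != y for x, y in zip(a, b))


def bisect_and_fix(alice, bob, block):
    """Halve a block whose parities differ until one wrong bit is isolated.

    Flips that bit in Bob's key and returns how many parities Alice had to
    disclose on the public channel to get there.
    """
    disclosed = 0
    while len(block) > 1:
        left = block[:len(block) // 2]
        disclosed += 1
        if parity(alice, left) != parity(bob, left):
            block = left            # odd number of errors is in the left half
        else:
            block = block[len(left):]  # otherwise it must be in the right half
    bob[block[0]] ^= 1
    return disclosed


def reconcile(alice, bob, block_size=8, passes=4, seed=0):
    """Return (bob_corrected, parities_disclosed).

    In a real system only the parities cross the public channel; both keys
    appear here because this is a single-process simulation.
    """
    rng = random.Random(seed)  # shared shuffle, agreed publicly
    bob = list(bob)
    order = list(range(len(alice)))
    disclosed = 0
    for pass_no in range(passes):
        if pass_no > 0:
            # A block with an even number of errors has matching parity and is
            # missed; shuffling before the next pass separates such pairs.
            rng.shuffle(order)
            block_size *= 2
        for start in range(0, len(order), block_size):
            block = order[start:start + block_size]
            disclosed += 1
            if parity(alice, block) != parity(bob, block):
                disclosed += bisect_and_fix(alice, bob, block)
    return bob, disclosed


def constructed_keys(n=64, flips=(5, 40), seed=7):
    """Constructed sample: a random key for Alice, and Bob's copy with bit errors."""
    rng = random.Random(seed)
    alice = [rng.randrange(2) for _ in range(n)]
    bob = list(alice)
    for i in flips:
        bob[i] ^= 1
    return alice, bob


if __name__ == "__main__":
    alice, bob = constructed_keys()
    fixed, leaked = reconcile(alice, bob, passes=1)
    print("errors before:", hamming(alice, bob), "after:", hamming(alice, fixed),
          "parities disclosed:", leaked)
```

Every disclosed parity is one bit of information about the key that Eve also sees, which is why the count returned here has to be subtracted during privacy amplification.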

For next-generation real-time error correction as data rates push towards
the GHz mark, the Low-Density Parity-Check (LDPC) algorithm is expected
to replace the Cascade algorithm for error correction (Elkouss et al., 2009).
The LDPC algorithm requires 20 to 30 bytes of memory per bit of data
being corrected, as opposed to 1 or 2 bytes for the Cascade algorithm. On
an FPGA, LDPC implementation rates of up to 607MHz have been reported
(Mhaske et al., 2015). The current fastest implementation of the LDPC
algorithm runs on a GPU-based system (Falcao et al., 2009) and has been
tested for QKD (Martinez-Mateo et al., 2013; Dixon & Sato, 2014). For even
faster rates, LDPC performance of 47 GHz has been reported for a custom
chip implementation but not in the context of QKD (Zhang et al., 2009).


8. Hardware: Photon sources 

A common method of encoding qubits is the use of polarized photons 
(less common methods include time-bin encoding (Marcikic et al, 2002) 
and frequency encoding (Zhu et al., 2011)). To preclude photon number 
splitting attacks, each qubit should be sent on a single photon. 

The ideal single-photon source would send a single photon 100% of the 
time whenever the user wishes (“on demand”), would send multiple photons 
0% of the time, and the photons it sends would be indistinguishable. 

If a photon cannot be sent 100% of the time on demand, the detector
might have to be left on for a longer time, increasing ‘dark count’ (detection
of photons which were not sent to it) and thus increasing noise. If the source
were to send multiple photons, then Eve would be able to intercept one
photon and transmit the remaining photons to Bob, executing a photon number
splitting attack. And if photons were distinguishable, then intercepting one
photon could give non-trivial information about another photon.

Photon sources are classified as deterministic versus probabilistic. A
deterministic single photon source emits a single photon on demand, whereas a
probabilistic source might emit more than one photon, and its photon
emission timing might not be entirely on demand. One should note, however,
that even the most ‘deterministic’ photon source might in practice exhibit
probabilistic behaviour because, for example, photons might get lost during
emission with some probability (‘extraction loss’).

A common measure for the efficiency of a single-photon source is the 2nd
order correlation function $g^{(2)}$. If $g^{(2)} = 1$, this means that the
number of photons emitted by the source follows a Poisson distribution, which
is the distribution one would expect from completely random and
uncorrelated emissions. It is usually assumed that $g^{(2)} = 1$ for
attenuated lasers, although, as pointed out by the European Telecom Standards
Institute, standard number GS QKD 003 Section 6.4.1 (ETSI, 2015), experiment
hasn’t always borne this out and perhaps further study is necessary e.g. when
the diode is biased close to the lasing threshold (Dixon et al., 2009). The
$g^{(2)} < 1$ situation is referred to as photon antibunching. In this case
the probability of emitting one photon relative to the probability of
emitting multiple photons is higher than in a Poisson process. The ideal
state is $g^{(2)} = 0$, which means that we get a single photon 100% of the
time.

The most common single photon sources are attenuated lasers, in which 
a laser beam is sent through a powerful attenuator which weakens it to 
the point that the probability of emitting one photon is greater than the 
probability of emitting multiple photons. Attenuated lasers are relatively 
cheap, convenient, and robust. 

When higher performance (lower $g^{(2)}$) is desired, the most common
single-photon sources make use of parametric down-conversion (PDC). This type
of source is not on-demand, but it probabilistically produces a pair of
photons, one of which can be used as a heralding photon to instruct the
detector to activate. This is a major advantage in QKD where it is important
to minimize detector dark-count. The heralding photon could also be used as
an entangled pair with the first photon, although here PDC makes it difficult
in general to obtain the desired wavelength and phase-matching for the pair
(Eisaman et al., 2011).

A promising future technology is the use of nitrogen vacancy (NV) color
centers in diamond as single photon sources. An NV center is a defect in a
diamond lattice which occurs when a nitrogen atom is substituted for a
carbon atom, leaving a vacancy next to it. As single photon sources, NV centers
are on-demand and exhibit low $g^{(2)}$. The current challenges are that they
are not identical, although some tunability has been demonstrated (Tamarat
et al., 2006), and that the ‘shelving level’ reduces their efficiency. There
are several proposed approaches to solving these problems (e.g. (Babinec et
al., 2010)); but it is the promise of a single photon coupled with a long-lived
spin qubit (the vacancy itself is an excellent qubit) that makes NV centers
especially promising. Note also that there must be thousands of optical
defects in solids which could potentially be used for single-photon
generation; only two of these have so far been seriously studied in this
context (Santori, Fattal, & Yamamoto, 2010).

There are many other single-photon sources, including single atoms, ions,
and molecules, ensembles, quantum dots, nanowires, four-wave mixing, and
mesoscopic quantum wells, but these do not currently seem as suitable for
QKD as the sources discussed above.

[Figure: An NV center used as a single photon source. Retrieved
from http://xqp.physik.uni-muenchen.de/research/single_photon/index.html]


9. Transmission 

Quantum key distribution can be performed through fiber, through free
space, or (experimentally) bounced off a satellite. The principles of
sending photons through fiber and through free space are the same, but fiber
provides a channel in which the amount of noise can be determined and
even controlled to some extent, whereas the amount of noise in a free-space
channel is unknown (although sometimes one may try to estimate it as in
e.g. (Gabay & Arnon, 2005)) and typically is changing. Wavelengths used to
send photons are typically around 800nm for free space and around 1550nm
for fibers. Experimental QKD usually uses dark fibers with no other signals
passing through them, but real-world applications will typically involve
sending messages through bright fibers which are carrying other signals.
Scattering effects in bright fibers will raise the BER of Alice’s
transmissions, and will cause more of Alice’s photons to ‘get lost on the
way’. Despite this, by smartly time-filtering QKD photons and other
communication photons, in 1992 a team from Toshiba was able to obtain a secure
bit-rate of 507KHz over a 95km bright fiber, several factors of 10 over what
had been achieved previously (Patel et al., 2012).

The greatest distance at which positive key rates have been experimentally
obtained through fiber is 307km (Korzh et al., 2015) and through free space is
144km between two Canary Islands (Ursin et al., 2007). The problem with
free space transmission is atmospheric turbulence, that is, random
fluctuations in the refractive index of air. One potential solution is to
bounce the polarized photons off satellites. The distance to the International
Space Station is 400km, but the atmospheric thickness is an order of magnitude
smaller than in the Canary Islands experiment. In 2014 a team from the
University of Padua bounced photons off four satellites to show feasibility
(Vallone et al., 2014), and China claims to have done so as well, and aims to
have a dedicated QKD satellite in orbit by 2016 (Yikra, 2014). When such
technologies become practically viable, they will significantly increase free
space QKD ranges.

[Figure: Single crystal diamond nanowires for photon detection. Retrieved
from http://www.osa-opn.org/opn/media/Images/photocontests/gallery09_36.jpg]


10. Hardware: Photon detection 

For Bob to receive qubits from Alice in the form of single photon
polarizations, Bob needs to have a good single photon detector. The main
technological bottleneck in the development of practical and secure QKD
systems for short to medium distances is the development of good single
photon detectors. Thus, in the last few years, any improvement to single
photon detection technology has immediately led to improved QKD
capabilities. Our main references for this section are (Eisaman et al., 2011)
and (Hadfield, 2009).

An ideal single photon detector for QKD should have 100% detection
efficiency (every photon sent to the detector should be successfully
detected), 0% dark count (the detector should not detect photons which were
not sent to it), no dead time (the recovery time the detector needs after
it has detected a photon until it can detect another photon), and no timing
jitter (the variation in the time between the photon's arrival and its
registration by the detector). Additionally, an ideal detector would have
complete photon number resolution, meaning that it would be able to count
the number of photons it had received. It would also be asynchronous,
meaning that it need not know the arrival times of photons in advance.

Low detection efficiency and high dark counts create noise in the
communication channel, reducing its capacity. A low capacity channel is
vulnerable to an intercept-resend attack, because it is difficult to detect
eavesdropping in the presence of random noise (Section 12.1). High dead time
reduces the channel bit rate, and creates a vulnerability to faked-state
attacks and to time-shift attacks (Makarov et al., 2006; Burenkov et al,
2010; Makarov, 2009). Timing jitter can lead to a leak of secret key
information (Lamas-Linares & Kurtsiefer, 2007). Poor or nonexistent photon
number resolution creates a vulnerability to photon number splitting attacks.

A single photon detector typically works by converting a photon into 
a charge carrier which in turn triggers an avalanche process in a physical 
system which is held very close to a critical state, leading to a macroscopic 
current pulse. 

Superconducting nanowire single photon detectors (SNSPD) are the best
single photon detectors known currently. They were first developed in 2001.
They have high detection efficiency (ten times better than the best
semiconductor detectors), low dark count, low dead time, and low time
jitter. They are also fully asynchronous. Their drawback is that they
require cryogenic temperatures (< 3K) to operate, which makes them bulky
and expensive, and has limited their uses outside the lab. There is work
being done, however, on variations of SNSPD that can function at
temperatures of over 20K, making them a promising future technology for
military and government applications (Wang, Miki, & Fujiwara, 2009).

Single photon avalanche detectors (SPADs) are the single photon detectors
which are currently most used in practice. They are cheap and compact,
with high detection efficiency and low time jitter. They are also fully
asynchronous. The challenge in building good SPADs has been afterpulsing,
which is the phenomenon of a spontaneous dark count occurring shortly
after a photon detection. If we wait until afterpulsing ends before
reactivating the SPAD, then we increase the dead time.

There has recently been dramatic progress in SPAD design. In 2013, the
University of Geneva Applied Physics team developed an InGaAs negative
feedback avalanche diode (NFAD) single photon detector whose performance
rivals many SNSPD systems, but which operates at temperatures of
approximately 150-220 K (as opposed to < 3K for SNSPD systems) (Korzh et al,
2014). Using these InGaAs NFADs, the same team were able in February 2015
to demonstrate provably secure QKD transmission over 307km of
optical fiber, which is the current record (Korzh et al., 2015).

11. Auxiliary systems 

11.1. Random number generators. A QKD system is only as good as
its random number generator. If Eve can predict Alice and Bob's random
choices, then she can read the entire key. The entire selling point of
Quintessence Technologies is their random number generators.

CPU-based random number generators are trusted for many classical
cryptography tasks, and are implemented in most operating systems. The
numbers they produce are not truly random, however, and therefore they are
usually referred to as pseudorandom number generators. When higher speeds
are required and when stronger random numbers are needed, hardware-based
implementations are preferred. These come in two flavours: they either
use filtered random physical processes within the FPGA as random number
seeds (Tsoi et al., 2007; Kwok & Lam, 2006), or they use less random
seeds and strong permutations (Alimohammad et al., 2008; Cheung et al.,
2007; Xiang & Benkrid, 2009). Currently, both alternatives are considered
cryptographically equivalent.

In QKD, in order to physically guarantee unconditional security, quantum
effects are desired for use as true random number generators (TRNG). A
quick and dirty way to do this, for Alice at least, is to send an unpolarized
single photon through a beam splitter: if it comes out one end then count
that as a zero, and if it comes out of the other end count it as a 1. A more
sophisticated version of this scheme which eliminates this bias is marketed
by Id Quantique, and another by Quintessence Technologies, and reaches
rates of 16 KHz. Looking into the future, an experimental idea with great
promise is to use quantum vacuum fluctuations for high bandwidth truly
random number generation of up to 100GHz (Jofre et al, 2011).

We note that TRNGs arise as commercial spinoffs of QKD projects. 

11.2. Memories and repeaters. To extend the range of QKD beyond a
few hundred kilometers, quantum repeaters will be necessary, which in turn
will require quantum memories. A quantum memory absorbs a photon,
stores its quantum states for as long as possible, and releases it on demand.
A key feature is that it does not break entanglement. The primary
candidates for practical quantum memories for QKD in the near future are
Raman gas based quantum memories (Simon et al., 2010) and quantum memories
using NV centers (de Riedmatten & Afzelius, 2015). The advantages of the
former include its greater capacity, while the advantages of the latter include
that it is solid-state and that it allows longer storage times. It is still unclear
which of these approaches will be best.

It is still unclear which repeater technology will be best, although the first 
quantum repeaters which outperform direct transmission will probably be 
based on atomic ensembles, linear optics, and photon counting (Sangouard 
et al, 2011). 

Quantum memories and repeaters are expected to become a commercial 
technology within 10-15 years. 


12. Attacks 

While the protocols of QKD operating under certain conditions are
unconditionally secure, practical implementations have been successfully
attacked. While none of these attacks is fatal to the QKD concept (effective
countermeasures to each attack have been devised), it is generally agreed
that the security of each setup should be the object of a dedicated study
whose goal is to find and patch up all vulnerabilities (Scarani &
Kurtsiefer, 2014).

12.1. Intercept-resend. The simplest and most direct attack against BB84
and its relatives is for Eve to intercept a photon sent by Alice to Bob, to
measure that photon, to prepare her own photon encoding the bit which she
measured, and to send that photon off to Bob. Because Eve doesn't know
in which basis Alice's photon was sent, she'll measure in the wrong basis
approximately half of the time and she will send a photon in the wrong
basis to Bob approximately half of the time. An intercept-resend attack
thus introduces a bit error rate (BER) of around 25%, although weaknesses
in certain practical systems allow modified versions of this attack to
introduce BERs of 19.7% (Xi, Qi, & Lo, 2010). Because acceptable BERs in
commercial systems are around 8%, practical QKD is indeed secure against
pure intercept-resend attacks, which are caught during the error-correction
key-establishment phase: if the error rate is too high then Eve has been
there.
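
The check described in Section 12.1, as an added example that is not part of the original paper: a Python simulation of BB84 basis sifting with and without an intercept-resend eavesdropper, followed by the error-rate test against the 8% figure quoted above. The 2% channel noise, the sample size, the seeds, and the use of a publicly compared random sample of sifted bits to estimate the error rate are assumptions of this example.

```python
import random

BASES = "+x"            # rectilinear and diagonal polarization bases
QBER_THRESHOLD = 0.08   # the ~8% acceptable BER quoted in the text

def measure(bit, prep_basis, meas_basis, rng):
    # A matching basis reproduces the encoded bit; a mismatched one gives a coin flip.
    return bit if prep_basis == meas_basis else rng.randrange(2)

def sifted_keys(n_photons, eve_present, channel_error=0.0, seed=1):
    """Simulate BB84 and return (alice_key, bob_key) after basis sifting."""
    rng = random.Random(seed)   # seeded PRNG: reproducible simulation only
    alice_key, bob_key = [], []
    for _ in range(n_photons):
        a_bit, a_basis = rng.randrange(2), rng.choice(BASES)
        bit, basis = a_bit, a_basis
        if eve_present:
            # Eve measures in a guessed basis and resends what she saw in that basis.
            e_basis = rng.choice(BASES)
            bit = measure(bit, basis, e_basis, rng)
            basis = e_basis
        b_basis = rng.choice(BASES)
        b_bit = measure(bit, basis, b_basis, rng)
        if rng.random() < channel_error:   # assumed detector/channel noise
            b_bit ^= 1
        if b_basis == a_basis:             # sifting: keep matching-basis rounds
            alice_key.append(a_bit)
            bob_key.append(b_bit)
    return alice_key, bob_key

def estimate_qber(alice_key, bob_key, sample_size, seed=2):
    """Compare a random sample of sifted bits; those bits would then be discarded."""
    rng = random.Random(seed)
    idx = rng.sample(range(len(alice_key)), sample_size)
    return sum(alice_key[i] != bob_key[i] for i in idx) / sample_size

def abort_key_exchange(qber, threshold=QBER_THRESHOLD):
    # Too many errors: assume Eve has been there and throw the key away.
    return qber > threshold

def demo():
    results = {}
    for label, eve in (("honest channel", False), ("intercept-resend", True)):
        a, b = sifted_keys(20000, eve, channel_error=0.02)
        q = estimate_qber(a, b, 1000)
        results[label] = (q, abort_key_exchange(q))
    return results

if __name__ == "__main__":
    for label, (q, abort) in demo().items():
        print(f"{label:17s} QBER={q:.3f} abort={abort}")
```

With the assumed 2% noise the honest channel stays well under the threshold, while full interception pushes the estimate to roughly 25% plus half the channel noise.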

12.2. Photon Number Splitting (PNS). Due to hardware limitations, 
most photon sources used in QKD are not true single photon sources in 
the sense that there is a non-negligible probability that they will generate 
multiple photons to transmit a single qubit. If Alice sends two or more 
identical photons to Bob, then Eve can split off one photon and send the 
remaining photons through. Eve stores the qubit she has learnt in quantum 
memory until Alice has revealed her encoding basis. Then Eve measures her 
photons in the correct basis and gains information about the key. 

A successful photon number splitting attack requires sophisticated
equipment: Eve must be able to count photons and to split off just one to
quantum memory while sending others through. Moreover, various
countermeasures have been developed. Better single-photon sources and
modifications of the BB84 protocol, such as for instance SARG04, make
successful PNS attacks much more difficult to carry out. Another solution
is to use decoy states, in which photons are randomly sent at different
intensities. The security of decoy state QKD against PNS attacks was proven
in (Lo et al, 2005a). Because a successful photon number splitting attack
is much more difficult to carry out against decoy-state QKD, we can use
attenuated lasers as photon sources when transmitting keys, increasing
secure key-rates (Yuan, 2007). The current state-of-the-art for decoy-state
QKD is 320MHz over a 200km fiber, yielding a 15Hz secure key rate (Liu et
al, 2010).

12.3. Timing attacks. When different light sources are used for beams in
different polarizations, and/or different detectors are used to make different
measurements, it may be possible to 'listen in' to which bit was sent or to
which basis was used without actually intercepting a photon. Such
side-channels were evident already in the first implementations of QKD, as
noted by Brassard (Brassard, 2005):

The funny thing is that, while our theory had been serious,
our prototype was mostly a joke. Indeed, the largest
piece in the prototype was the power supply needed to feed
in the order of one thousand volts to Pockels cells, used to
turn photon polarization. But power supplies make noise,
and not the same noise for the different voltages needed for
different polarizations. So, we could literally hear the photons
as they flew, and zeroes and ones made different noises.
Thus, our prototype was unconditionally secure against any
eavesdropper who happened to be deaf! :-)

It is therefore critical to the security of the QKD system that different
light-sources and detectors be indistinguishable to Eve. One particular
vulnerability is that different light sources and detectors may not be
perfectly synchronized, so that Eve can figure out which detector clicked,
for example, by examining the time signature publicly announced by Bob in
order to determine which photon he detected of the photons sent by Alice.
Such an attack could read-off > 25% of the key for a detector mismatch of 0.5
nanoseconds, an amount that could easily go unnoticed (Lamas-Linares &
Kurtsiefer, 2007). An attempt to carry out such an attack against a
commercial system was unsuccessful because of several practical difficulties
(Zhao et al, 2008).

12.4. Trojan attacks. In a Trojan attack, Eve shines bright light at either
Alice or Bob, determining which basis was used by analyzing the reflection.
The Trojan attack has successfully read off complete keys both in the lab
(Gerhardt et al., 2011) and also of commercial QKD systems, QPN-5505
from MagiQ Technologies and Clavis2 of Id Quantique (Lydersen et al.,
2010). This has been the most powerful and the best-performing hack on
QKD so far. Although these specific attacks can be protected against,
Trojan attacks using pulses of different wavelengths may still be able to
hack complete keys, and we still do not know the full scope of the
vulnerability of practical QKD systems to Trojan attacks (Jain et al., 2014,
2015).

12.5. Other side-channel attacks. Many other attacks against QKD systems
have been investigated, and new vulnerabilities are periodically
discovered. Some of these attacks (denial of service, man-in-the-middle,
...) can be carried out against classical systems as well, and the
vulnerability of QKD to these attacks is identical to the vulnerability of
any classical protocol. Other attacks which take advantage of a weakness in
an auxiliary system (e.g. randomization attacks, in which the random bases
are successfully computed by Eve because the random number generator is
faulty) can be counteracted by using better hardware. Of course each
side-channel attack must be investigated and ruled out for each setup.


13. Conclusion 

Quantum Key Distribution (QKD) is a modern form of trusted courier,
which in principle allows Alice to communicate a message to Bob with
complete confidence that the message will not be eavesdropped on during
transmission. Real-life QKD security, however, is a quantitative issue, and
each setup should be individually studied to ensure its security. QKD is
currently a focus of interest for many private, governmental, and military
groups all over the world.

Current state of the art setups still use the first QKD protocol, BB84, and
its variants. The Cascade protocol is still the fastest for error correction, but
LDPC is expected to overtake it as key rates rise. In both cases, hardware
implementation using FPGAs is the current state of the art and is likely to
remain so for the next decade at least.

Qubits are typically transmitted as polarized photons. Decoy-state QKD
using attenuated laser pulses are the current state of the art photon sources,
despite not being true single photon sources. NV centers are a promising
future technology. Polarized photons can be transmitted through fiber,
through air (free space), or bounced off satellites. There are various attempts
to send polarized photons via bright fibers through which other messages
are travelling, but the key rates being obtained are still quite low.

Photon detectors are the main technological bottleneck for practical QKD.
The current state of the art are InGaAs NFADs. A promising future
technology are SNSPDs, which currently require cryogenic temperatures to
operate, but future SNSPDs may be able to operate at above 20K.

Memories and repeaters, which are thought to be required for QKD at 
ranges over around 400km, are still in the experimental stage, and it is too 
early to say which technology will be best. 

Security of QKD is a well-studied field, and there have been numerous
attempts to attack QKD implementations both using standard attacks and
also using side-channel attacks. Only one of these attacks, a Trojan attack,
has successfully stolen a secret key, and the vulnerability it highlights can be
plugged. QKD of course has the same vulnerability to classical attacks such
as denial-of-service and man-in-the-middle as classical implementations.

QKD is an exciting emerging technology which is beginning to enter the
marketplace. We expect it to be successful in its own right, and also to serve
as a stepping stone towards greater and higher goals in quantum
communication and computation.